About versioning

We respect SemVer here. However, the “public API” of this package is not the user-facing API of the service itself, but is considered to be the set of configuration and services that this package and its dependencies use. Accordingly, follow these rules:

MAJOR must be incremented if a change to configuration, the system, or a third-party service is required, or if any of the dependencies has a major increment.

MINOR must be incremented if any of the dependencies has a minor increment.

PATCH must be incremented if neither a major nor a minor increment is necessary.

In other words, minor and patch versions are uncomplicated and can be deployed automatically, and major releases are very likely to require specific actions somewhere in the architecture.

CHANGELOG

This document describes changes between each past release as well as
the version control of each dependency.

Fix a bug where you could not reach the last records via Next-Header when deleting with pagination (Kinto/kinto#1170)

Slight optimizations on the get_all() query in the Postgres
storage backend which should make it faster for result sets that
have a lot of records (Kinto/kinto#1622). This is the first change meant to
address Kinto/kinto#1507, though more can still be done.

Fix a bug where the batch route accepted all content-types (Kinto/kinto#1529)

kinto-fxa

Introduce new kinto_fxa.scripts. Right now the only script available
is process-account-events, which listens to an SQS queue for user
delete events and deletes data from that user’s default bucket, in
order to comply with GDPR. (Kinto/kinto-fxa#55)

The preview collection signature is now refreshed along with the destination (kinto/kinto-signer#236)

Tracking fields are now documented and new ones were added (last_edit_date, last_request_review_date, last_review_date and last_signature_date) (kinto/kinto-signer#137)

Deprecations

The collection-specific settings must now be separated with . instead of _.
(e.g. use kinto.signer.staging.certificates.editors_group instead of kinto.signer.staging_certificates.editors_group) (kinto/kinto-signer#224)

Internal changes

Now log an INFO message when the CloudFront invalidation request is sent (kinto/kinto-signer#238)

kinto-attachment

The collection-specific use_content_encoding setting must now be separated with . instead of _.
(e.g. use kinto.attachment.resources.bid.cid.use_content_encoding instead of kinto.attachment.resources.bid_cid.use_content_encoding) (fixes kinto/kinto-attachment#134)

6.0.2 (2018-04-06)

kinto

Since Kinto 8.2.0 the account plugin had a security flaw where the password wasn’t verified during the session duration.
It now validates the account user password even when the session is cached (Kinto/kinto#1583).
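
The class of flaw described in this entry, shown as an added example that is not Kinto's code: a credential cache keyed on the username alone next to one keyed on an HMAC of username and password. AccountStore, the two cache classes, the PBKDF2 hashing and the sample account are all constructed for illustration.

```python
import hashlib
import hmac
import os


def kdf(password, salt):
    # Deliberately slow password hash; PBKDF2 keeps the example stdlib-only.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 50_000)


class AccountStore:
    """Constructed stand-in for the accounts table (an assumption, not Kinto's)."""
    def __init__(self):
        self._rows, self.slow_checks = {}, 0

    def add(self, username, password):
        salt = os.urandom(16)
        self._rows[username] = (salt, kdf(password, salt))

    def verify(self, username, password):
        self.slow_checks += 1  # counts how often the expensive path runs
        salt, expected = self._rows.get(username, (b"\0" * 16, b""))
        return hmac.compare_digest(kdf(password, salt), expected)


class UsernameKeyedCache:
    """Flawed: a cache hit on the username alone skips the password check."""
    def __init__(self, store, secret=b""):
        self.store, self.secret, self.cache = store, secret, set()

    def cache_key(self, username, password):
        return username  # the password is not part of the key

    def check(self, username, password):
        key = self.cache_key(username, password)
        if key in self.cache:
            return True  # a hit never reaches store.verify()
        ok = self.store.verify(username, password)
        if ok:
            self.cache.add(key)
        return ok


class CredentialKeyedCache(UsernameKeyedCache):
    """Hardened: only the exact same username and password can hit the cache."""
    def cache_key(self, username, password):
        msg = f"{len(username)}:{username}:{password}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).hexdigest()
```

The sets here never expire; a real cache needs a TTL and must drop a user's entries when the password changes.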

5.2.1 (2018-02-09)

kinto

Restore “look before you leap” behavior in the Postgres storage
backend create() method to check whether a record exists before
running the INSERT query (#1487). This check is “optimistic” in the sense
that we can still fail to INSERT after the check succeeded, but it
can reduce write load in configurations where there are a lot of
create()s (i.e. when using the default_bucket plugin).

5.1.2 (2018-01-24)

kinto

Flushing a server no longer breaks migration of the storage backend
(#1460). If you have ever flushed a server in the past, migration
may be broken. This version of Kinto tries to guess what version of
the schema you’re running, but may guess wrong. See
https://github.com/Kinto/kinto/wiki/Schema-versions for some
additional information.

Internal changes

We now allow migration of the permission backend’s schema.

Operational concerns

The schema for the Postgres permission backend has changed. This
changes another ID column to use the “C” collation, which should
speed up the delete_object_permissions query when deleting a
bucket.

The schema for the Postgres storage backend has changed. This
changes some ID columns to use the “C” collation, which will make
delete_all queries faster. (See
e.g. https://www.postgresql.org/docs/9.6/static/indexes-opclass.html,
which says “If you do use the C locale, you do not need the
xxx_pattern_ops operator classes, because an index with the default
operator class is usable for pattern-matching queries in the C
locale.”) This may change the default sort order and grouping of
record IDs.

New features

New setting kinto.backoff_percentage to only set the backoff header a portion of the time.

make tdd allows development in a TDD style by rerunning tests every time a file is changed.

Bug fixes

Optimize the Postgres collection_timestamp method by one query. It
now only makes two queries instead of three.

5.0.0 (2017-11-29)

kinto

The schema for the Postgres storage backend has changed. This
lets us prevent a race condition where deleting and creating a thing
at the same time can leave it in an inconsistent state (#1386). You
will have to run the kinto migrate command in order to migrate
the schema. The safest way to do this is to disable Kinto traffic
(perhaps using nginx), bring down the old Kinto service, run the
migration, and then bring up the new Kinto service.

Breaking changes

Storage backends no longer support the ignore_conflict
argument (#1401). Instead of using this argument, consider catching the
UnicityError and handling it. ignore_conflict was only ever
used in one place, in the default_bucket plugin, and was
eventually backed out in favor of catching and handling a
UnicityError.

Bug fixes

Fix a TOCTOU bug in the Postgres storage backend where a transaction
doing a create() would fail because a row had been inserted after
the transaction had checked for it (#1376).
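
The pattern behind this fix, the 5.2.1 “look before you leap” entry and the advice to catch UnicityError instead of passing ignore_conflict, as an added example that is not Kinto's code. It uses an in-memory SQLite table as a stand-in for Postgres; open_db, create, get_or_create and the race_hook test seam are hypothetical names.

```python
import sqlite3


class UnicityError(Exception):
    """Raised when a record with the same id already exists."""

    def __init__(self, existing):
        super().__init__("record already exists")
        self.existing = existing


def open_db():
    conn = sqlite3.connect(":memory:")  # constructed stand-in for Postgres
    conn.execute("CREATE TABLE records (id TEXT PRIMARY KEY, data TEXT)")
    return conn


def _fetch(conn, record_id):
    row = conn.execute("SELECT data FROM records WHERE id = ?", (record_id,)).fetchone()
    return None if row is None else row[0]


def create(conn, record_id, data, race_hook=None):
    existing = _fetch(conn, record_id)  # optimistic check: no write attempted
    if existing is not None:
        raise UnicityError(existing)
    if race_hook:
        race_hook()  # test seam: a concurrent writer wins the race here
    try:
        conn.execute("INSERT INTO records (id, data) VALUES (?, ?)", (record_id, data))
    except sqlite3.IntegrityError:
        # The check passed but the INSERT lost: the constraint is the real guard.
        raise UnicityError(_fetch(conn, record_id)) from None
    return data


def get_or_create(conn, record_id, data, race_hook=None):
    """Caller-side handling that replaces the removed ignore_conflict argument."""
    try:
        return create(conn, record_id, data, race_hook), True
    except UnicityError as exc:
        return exc.existing, False
```

In Postgres a failed INSERT aborts the enclosing transaction, so a real backend also needs a savepoint or ON CONFLICT around the write; SQLite does not show that behaviour.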

Document how to create an account using the POST /accounts endpoint (#1385).

Make it illegal for a principal to be present in
account_create_principals without also being in
account_write_principals. Restricting creation of accounts to
specified users only makes sense if those users are “admins”, which
means they’re in account_write_principals. (Kinto/kinto#1281)

Fix bug causing validation to always succeed if no required fields are present.

Several changes to the handling of NULLs and how the full range of
JSON values is compared in a storage backend (Kinto/kinto#1258, Kinto/kinto#1252,
Kinto/kinto#1215, Kinto/kinto#1216, Kinto/kinto#1217 and Kinto/kinto#1257).

Fix requests output when running with make serve (Kinto/kinto#1242)

Fix pagination on permissions endpoint (Kinto/kinto#1157)

Fix pagination when max fetch storage is reached (Kinto/kinto#1266)

Fix schema validation when internal fields like id or last_modified are
marked as required (Kinto/kinto#1244)

3.0.1 (2017-06-12)

3.0.0 (2017-06-12)

kinto

The flush endpoint is now a built-in plugin at kinto.plugins.flush and
should be enabled using the includes section of the configuration file.
KINTO_FLUSH_ENDPOINT_ENABLED environment variable is no longer supported. (#1147)

The default_bucket plugin no longer sends spurious “created”
events for buckets and collections that already exist. This causes
the quotas plugin to no longer leak “quota” when used with the
default_bucket plugin. (#1226)

2.2.0 (2017-05-25)

kinto

A kinto rebuild-quotas script was written that can be run to
repair the damage caused by #1226 (fixes #1230).

Bug fixes

The default_bucket plugin no longer sends spurious “created”
events for buckets and collections that already exist. This causes
the quotas plugin to no longer leak “quota” when used with the
default_bucket plugin. (#1226)

kinto-signer

The API can now optionally rely on a workflow and can check that users changing collection status
belong to some groups (e.g. editors, reviewers). With that feature enabled,
the signature of the collection will have to follow this workflow:

an editor will request a review by setting the collection status to to-review;

a preview collection will be updated and signed so that QA can validate the changes
on the client side;

a reviewer — different from the last editor — will trigger the signature by setting
the status to to-sign as before.

In order to enable this feature, the following procedure must be followed:

0.7.0 (2016-07-19)

Kinto

Add new experimental endpoint GET /v1/permissions to retrieve the list of permissions
granted on every kind of object (#600).
Requires the kinto.experimental_permissions_endpoint setting to be set to true.

kinto-signer

Update the last_modified value when updating the collection status and signature
(kinto/kinto-signer#97)

Trigger ResourceChanged events when the destination collection and records are updated
during signing. This allows plugins like kinto-changes and kinto.plugins.history
to catch the changes (kinto/kinto-signer#101)

0.6.1 (2016-07-13)

Kinto

Make sure the tombstone is deleted when the record is created with PUT. (#715)

Bump last_modified on record when provided value is equal to previous
in storage update() method (#713)

0.6.0 (2016-05-25)

This release moves to the Kinto 3 series. This version merges Cliquet
into kinto.core and all plugins have been updated to work with this
change. This is a change to code structure, but there is a
user-visible change, which is that settings referring to Cliquet
module paths should now be updated to refer to kinto.core. module
paths. For example:

Major version update. Merged cliquet into kinto.core. This is
intended to simplify the experience of people who are new to Kinto.
Addresses #687.

Removed initialize_cliquet(), which has been deprecated for a while.

Removed cliquet_protocol_version. Kinto already defines
incompatible API variations as part of its URL format (e.g. /v0,
/v1). Services based on kinto.core are free to use
http_api_version to indicate any additional changes to their
APIs.

Simplify settings code. Previously, public_settings could be
prefixed with a project name, which would be reflected in the output
of the hello view. However, this was never part of the API
specification, and was meant to be solely a backwards-compatibility
hack for first-generation Kinto clients. Kinto public settings
should always be exposed unprefixed. Applications developed against
kinto.core can continue using these names even after they transition
clients to the new implementation of their service.

kinto start now accepts a --port option to specify which port to listen to.
Important: Because of a limitation in [Pyramid tooling](http://stackoverflow.com/a/21228232/147077),
it won’t work if the port is hard-coded in your existing .ini file. Replace
it by %(http_port)s or regenerate a new configuration file with kinto init.

Add support for pool_timeout option in Redis backend (fixes #620)

Add new setting kinto.heartbeat_timeout_seconds to control the maximum duration
of the heartbeat endpoint (fixes #601)

Bug fixes

Fix internal storage filtering when an empty list of values is provided.

Authenticated users are now allowed to obtain an empty list of buckets on
GET /buckets even if no bucket is readable (#454)